A technology disclosed herein relates to a computer system including a storage apparatus for storing data to be used by a computer. In particular, a technology disclosed herein relates to a technology applicable to a storage apparatus having a function of encrypting data to be stored in a storage medium and decrypting data read from the storage medium, for performing backup and restoration of an encryption key to be used for the encryption and the decryption of data.
In recent years, along with a proliferation of a storage area network (SAN), in which a storage apparatus, a computer, and a management computer are coupled to one another via a dedicated line such as Fibre Channel, a computer system has been increased in size, and there has been developed a technology of efficiently managing ever-increasing enormous amount of data in the computer system described above.
For example, JP 2005-11277 A discloses a storage virtualization technology. According to this technology, a first storage apparatus is coupled to at least one second storage apparatus, and a storage area in the second storage apparatus is provided, as a storage area of the first storage apparatus, to a computer.
According to the technology disclosed in JP 2005-11277 A, the storage area of the second storage apparatus is managed by the first storage apparatus in a unified manner, to thereby reduce a management cost of the computer system.
Also, along with an increase of information leaks due to disk theft or the like in recent years, there is a growing interest in storing and managing data with ensured security. For example, JP 2007-28502 A discloses a storage apparatus which includes an encryption function for encrypting a storage area, and is capable of encrypting data to be read from or written to the storage area.
According to the technology disclosed in JP 2007-28502 A, even in a case where a disk is stolen or the like, data leakage can be prevented.
In the storage apparatus having an encryption function as described above, the management of the encryption key is important. For example, a loss of the encryption key due to a failure in the storage apparatus or an operational error of a user makes it impossible for the storage apparatus to decrypt data in an encrypted storage area. In order to deal with this situation, the encryption keys may be backed up outside or inside of the storage apparatus, and in a case where the encryption key is lost, the encryption keys thus backed up may be restored to the storage apparatus.
However, in restoring encryption keys, the following things need to be taken into consideration. Of the backed-up encryption keys, when an incorrect encryption key is restored to the storage apparatus to read or write data, the data is corrupted. For this reason, it is important to prevent an improper restoration of an encryption key, that is, to verify whether or not a right encryption key is actually restored to the storage apparatus.
JP 2007-148762 A discloses a conventional technology related to the above-mentioned verification. According to JP 2007-148762 A, data in an external storage medium such as a USB memory is allowed to be used when a connection destination of the storage medium is an authorized computer, while the data is not allowed to be used when the connection destination is an unauthorized computer.
According to the technology disclosed in JP 2007-148762 A for determining whether data is allowed to be used or not based on a use destination of the data, for example, in the case of restoring an encryption key in a storage apparatus having an encryption function, the restoration of the encryption key is permitted when the encryption key is of the own apparatus and the restoration is rejected when the encryption key is of any other storage apparatus than the own apparatus, to thereby determine whether or not to restore the encryption key.